zEnterprise Unified Resource Manager
Jerry Stevens
STSM, AIM ENS Architecture Strategy and Design
IBM zEnterprise System
Network Virtualization, Management, and Security
(Part 1: Overview)
Available in Hard Copy Once Presented by the IBM Account Team
© 2010 IBM Corporation
Restricted Distribution
AIM ENS Architecture Strategy and Design
Trademarks
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries.
IBM*
IBM Logo*
AIX*
BladeCenter*
DataPower*
POWER*
POWER7*
PR/SM
RACF*
Redbooks*
System p*
System x*
System z*
System z10
z10
zEnterprise
z/OS*
z/VM*
z/VSE
* Registered trademarks of IBM Corporation
The following are trademarks or registered trademarks of other companies.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
INFINIBAND, InfiniBand Trade Association and the INFINIBAND design marks are trademarks and/or service marks of the INFINIBAND Trade Association.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of
Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.
* All other products may be trademarks or registered trademarks of their respective companies.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will
vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be
given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual
environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice.
Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or
any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
Abstract
You've heard a lot about the IBM zEnterprise™ System. The new machines are faster, more powerful and
more energy efficient. But the most significant change is that other kinds of computers can now be
“plugged into” the mainframe to create an “Ensemble Network” where security exposures are minimized
and the data center can be managed as if it were a single computer. Many questions about speeds, feeds,
feature codes, operating system levels have been answered, but many more questions have been raised
about network design and network security. Attend the sessions in a two-part series to hear the answers to
questions about Ensemble networking: questions on the underlying architecture, on the routing and
security structures, and on the software definitions.
The first session in the series, “IBM zEnterprise System Network Virtualization, Management, and
Security (Part 1: Overview),” presents a high-level overview of the networking topics surrounding the
new architecture. Part 1 is suitable for both an executive and a technical audience with both architects and
implementers represented.
The second session, “IBM zEnterprise System Network Virtualization, Management, and Security
(Part 2: Detail),” presents a more detailed view of the underlying architecture, its routing and security
structures, and some of its software definitions. Part 2 is suitable for a technical audience that wants to
understand more about the design, positioning, and implementation of the new architecture.
Both documents are available at: w3.ibm.com/support/techdocs
Agenda – IBM zEnterprise System Networking Overview
zEnterprise and IBM zEnterprise Unified Resource Manager
(zManager) - Overview
zEnterprise Node Physical Infrastructure
Communications within the Ensemble
Network and OSA Types and Attributes
External Network Access
Network Virtualization Management
Provisioning Virtual Networks
Network Access Control and Security
Notices:
1. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
2. The zEnterprise internal networks are provided with redundant hardware; redundancy is NOT shown in this presentation.
IBM zEnterprise System – Best-in-Class Systems and Software Technologies
A “System of Systems” that unifies IT for predictable service delivery

IBM zEnterprise 196 (z196)
– Optimized to host large-scale database, transaction, and mission-critical applications
– The most efficient platform for large-scale Linux® consolidation
– Capable of massive scale-up
– New easy-to-use z/OS® V1.12

IBM zEnterprise Unified Resource Manager (zManager)
– Unifies management of resources, extending IBM System z® qualities of service end-to-end across workloads
– Provides platform, hardware and workload management

IBM zEnterprise BladeCenter® Extension (zBX)
– Selected IBM POWER7® blades and IBM System x® Blades* for tens of thousands of AIX® and Linux applications
– High-performance optimizers and appliances to accelerate time to insight and reduce cost
– Dedicated high-performance private network

* All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
IBM zEnterprise System – Best in Class Systems and Software Technologies (detail)
A System of Systems that unifies IT for predictable service delivery

Unified management for a smarter system: zEnterprise Unified Resource Manager (via the HMC)
– Unifies management of resources, extending IBM System z qualities of service end-to-end across workloads
– Provides platform, hardware and workload management

The world’s fastest and most scalable system: IBM zEnterprise 196 (z196)
– Ideal for large scale data and transaction serving and mission critical applications
– Most efficient platform for large-scale Linux® consolidation
– Leveraging a large portfolio of z/OS and Linux on System z applications
– Capable of massive scale up, over 50 Billion Instructions per Second (BIPS)

Scale out to a trillion instructions per second: IBM zEnterprise BladeCenter Extension (zBX)
– Selected IBM POWER7 blades and IBM System x Blades(1) for tens of thousands of AIX and Linux applications
– High performance optimizers and appliances to accelerate time to insight and reduce cost
– Dedicated high performance private network

(1) All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
zEnterprise Unified Resource Manager – Hardware Management

Energy Management
– Monitoring and trend reporting of CPU energy efficiency.
– Ability to query maximum potential power.

Hypervisor Management
– Integrated deployment and configuration of hypervisors.
– Hypervisors (except z/VM®) shipped and serviced as firmware.
– Management of ISO images.
– Creation of virtual networks.

Operational Controls
– Auto-discovery and configuration support for new resources.
– Cross platform hardware problem detection, reporting and call home.
– Physical hardware configuration, backup and restore.
– Delivery of system activity using a new user interface.

Network Management
– Management of virtual networks including access control.

[Diagram: the HMC at the centre of six management areas: Hypervisors, Energy, Operations, Networks, Performance, Virtual Servers. Key: each item belongs to the Manage suite or the Automate suite.]
zEnterprise Unified Resource Manager – Platform Management

Hypervisor Management
– Manage and control communication between virtual server operating systems and the hypervisor.

Energy Management
– Static power savings.

Workload Awareness and Platform Performance Management
– Wizard-driven management of resources in accordance with specified business service level objectives.
– HMC provides a single consolidated and consistent view of resources.
– Monitor resource use within the context of a business workload.
– Define workloads and associated performance policies.

Virtual Server Lifecycle Management
– Single view of virtualization across platforms.
– Ability to deploy multiple, cross-platform virtual servers within minutes.
– Management of virtual networks including access control.

[Diagram: the same HMC-centred management areas (Hypervisors, Energy, Operations, Networks, Performance, Virtual Servers). Key: Manage suite / Automate suite.]
zEnterprise hardware management and platform management … Value Made Possible By the Unified Resource Manager

Hypervisors: simplified installation of hypervisors
– Gain significant time to market with improved speed of deployment.

Energy: simplified energy management, cost savings
– Monitoring and trend reporting of CPU energy efficiency.
– Ability to query maximum potential power.
– Static power savings.

Operations: operational controls
– Auto-discovery and configuration support for new resources: save time and cost, and simplify asset management.
– Cross platform hardware problem detection, reporting and call home: decrease problem determination and resolution time for cross-platform resources.
– Physical hardware configuration, backup and restore; delivery of system activity using a new user interface: improve and simplify cross-platform availability procedures.

Performance: workload awareness
– Smart business adjustments based on workload insight.
– Enable a broader and more granular view of resource consumption.
– Allow critical workloads to receive resources and priority based on goal-oriented policies established by business requirements.
– Provide deep insight into how IT resources are being used.

Virtual Servers: virtual server lifecycle management
– Single view of virtualization across platforms; ability to deploy multiple, cross-platform virtual servers within minutes: gain flexibility, consistency and uniformity of virtualization, and provide the business with faster time to market.
– Management of virtual networks including access control.

Networks: network management
– Factory installed and configured network.
– Management of virtual networks including access control.
– Improved network security with lower latency, less complexity, no encryption/decryption (the IEDN is dedicated, physically isolated IBM equipment; see the value points on the next slide).
– Simplified network management for applications.
zEnterprise Networking Value Points

Network Simplification
– Single physical network and zBX “package” (physical network integration)
– Central point of management (zManager via the HMC/SE)

Secure communications
– Physical security (internal / dedicated network equipment)
– Logical security (controlled access)
– Network virtualization and isolation

High Availability
– Redundant network hardware
– Logical failover

Unique System z QoS
– Isolated / dedicated equipment
– Special purpose dedicated data network & OSA-Express (no encryption required on the IEDN itself: it is IBM-provided, physically isolated equipment, so the guarantee rests on that physical isolation plus the access controls above, and it ends where traffic crosses into the customer external network)
IBM zEnterprise System Overview

[Diagram: a zEnterprise node. The z196 (System z CPU, memory and I/O) runs PR/SM™, hosting z/OS virtual machines and a z/VM LPAR with Linux guests, with its Support Element (SE). The zBX (z Blade Extension) with Advanced Management Modules (AMM) hosts POWER® blades under pHyp running AIX, System x blades under xHyp running Linux, and optimizers/appliances: ISS, DataPower® (DP), ISAOPT, Cell, and DWA (future). The HMC manages the whole. Connecting the pieces with zManager!]

(1) All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Putting zEnterprise System to the Task

[Diagram: System z host with Unified Resource Manager. On System z PR/SM and System z HW resources: z/OS, z/TPF, z/VSE™ and Linux on System z (under z/VM). On zBX blade virtualization and blade HW resources (select IBM blades): AIX on POWER7, Linux on System x(1) (future offering), and optimizers: DataPower(1) (future offering) and the Smart Analytics Optimizer. The Support Element and the System z Hardware Management Console (HMC) carry the Unified Resource Manager. Networks: private management network (INMN), private high speed data network (IEDN), and the customer network.]
Use the smarter solution to improve your application design.

(1) All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
IBM zEnterprise Node with Internal Networks

[Diagram: a zEnterprise node is a z196 plus a zBX (2 frames) with top-of-rack (TOR) switches and BladeCenter (BC) chassis. The HMC reaches the node over the customer managed management network. OSD OSAs attach the z196 to the customer managed data networks; OSM and OSX OSAs attach it to the intranode management network and the intraensemble data network respectively.]
IBM zEnterprise – Internal Networks

[Diagram: zEnterprise Node 1 (System z frame with FSPs, BPC, SE and System z virtual servers; zBX rack with BC-1, BC-2, AMM, p virtual servers and ISAOPT blades) and zEnterprise Node 2, with five networks:]
(A) Private System Control Network (FSP, BPC, SE; the HMC reaches it through a firewall)
(B) intranode management network (new with zEnterprise)
(C) intraensemble data network (new with zEnterprise; the IEDN spans nodes)
(D) Customer Managed Management Network
(E) Customer Managed External Data Network
Two new zEnterprise networks: B and C. The IEDN is the primary focus of this presentation.
IBM zEnterprise – Ensemble and intraensemble Data Network

zEnterprise Ensemble: a collection of one or more zEnterprise Nodes (including any optionally attached zBX) that are managed as a single logical virtualized system by the zManager using a Hardware Management Console (HMC).
Ensemble Member: a zEnterprise node that has been added to an ensemble using the HMC.
[Diagram: Node 1, Node 2 and Node 3 joined by the intraensemble data network.]
IBM zEnterprise – intraensemble Data Network Key Attributes

[Diagram: Nodes 1, 2 and 3 of an ensemble joined by the intraensemble data network.]
intraensemble data network – key attributes:
1. Single dedicated physical / flat layer 2 10 GbE network
2. Comprised of IBM zEnterprise (redundant) equipment (no external / customer hardware)
3. Can span nodes (i.e. can be shared by all co-located nodes within the Ensemble; 10 km limit)
4. No layer 3 IP routing required to communicate within the Ensemble
5. IP addresses (IPv4 or IPv6) are customer controlled (provisioned)
6. MAC addresses (prefixes) are provisioned / coordinated by zManager (HMC)
7. Access to the network is controlled by the zManager (HMC) via the SE, which configures the control points: the OSX, the hypervisors and the physical switches
8. Virtual servers can be isolated into multiple groups on the physical network by defining multiple virtual networks (multiple VLANs) based on workloads and other isolation requirements
IBM zEnterprise – OSA and Network Types

[Diagram: HMC and SE managing a zEnterprise node. The z196 CPC runs LP 1 to LP 4 (z/OS 1 to z/OS 4) and LP 5 (z/VM 1 with virtual servers VS1 to VS4 behind a VSwitch). Three OSA types connect it to three networks:]
1. Customer external network (OSD CHPID): OSD OSA to the customer LAN/WAN
2. intraensemble data network, 10GbE (OSX CHPID): OSX OSA to the zBX TOR switches (TOR-A, TOR-B) and through each chassis’ Ethernet Switch Modules (ESM) to the BladeCenter (BC) blades; this LAN extends to other nodes
3. intranode management network, 1GbE (OSM CHPID): OSM OSA to the zBX management path
External Network Access – Option 1 – System z (LP) IP Router

[Diagram: same node layout as the previous slide. Option #1: a z/OS LP acts as the IP router between the customer external network (reached over its OSD CHPID) and the intraensemble data network (reached over its OSX CHPID); the z/VM virtual servers and the zBX blades reach the outside only through that LP.]
External Network Access – Option 2 – External IP Router

[Diagram: same node layout. Option #2: a customer external router / firewall connects directly to the zBX TOR switches (and so to the blades), and also to the System z LPs over their OSX OSAs; an external load balancer may sit in the same path. The OSD OSAs still carry the customer external network to the LPs.]
Multiple Enterprise Nodes – Sharing zBX(s) within a single Node

[Diagram: configuration with multiple zEnterprise nodes sharing zBX rack(s). Node 1 (with zBX, SE 1) attaches its System z OSX OSA to its TOR, which feeds the BladeCenter chassis through ESMs. Node 2 (without zBX, SE 2; LP 1 to LP 4 running z/OS 1 to z/OS 4, LP 5 running z/VM 1 with VS1 to VS4 behind a VSwitch) attaches its OSX OSA to the same intraensemble data network and so shares Node 1’s zBX.]
Migration Configuration (Down-level CPC) for DB2 / ISAOPT

[Diagram: migration configuration with direct zBX access. A System z10 (down-level CPC; LP 1 to LP 4 running z/OS 1 to z/OS 4 with DB2, LP 5 running z/VM 1 with VS1 to VS4 behind a VSwitch) attaches over an OSD OSA to a migration port on the zEnterprise TOR (an external VLAN), gaining direct access to, and sharing, the zEnterprise node’s ISAOPT blades. The zEnterprise node itself attaches over its OSX OSA.]
Migration Configuration (Down-level CPC) for Other workloads

[Diagram: migration configuration with external (indirect) network access. A System z10 with general application workloads (such as IMS / DP) attaches over an OSD OSA to the external network; a layer 3 IP router and a firewall forward that traffic into zEnterprise Node 1 (with zBX) through its OSX OSA, TOR and ESMs onto the intraensemble data network.]
Network Hardware Redundancy

[Diagram: System z with four OSX ports feeding two TOR switches, each feeding two ESMs in the BladeCenter chassis of the zBX racks.]
Redundant network hardware (high availability): redundant OSAs, TORs, ESMs and blade NICs, with the ability to add additional OSAs (additional bandwidth).
Virtual Network Concepts – Creating Virtual Networks

Step 1. Create / define a Virtual Network … from the HMC:
– Network Name = Production Net (e.g. “Sales Production Net”)
– VLAN ID = 300
Virtual Network Concepts – Adding Virtual Servers

… once you have a Virtual Network …
Step 2. … as necessary … add (associate / authorize) Virtual Servers, by Server ID, to the Virtual Network “Production Net” (VLAN ID = 300), using the HMC task “Add Hosts to Virtual Network…”.

Virtual Networks consist of two key properties:
1. VLAN ID (IP subnet)
2. List of Authorized Servers
Deploying a Virtual Network – Example 1

[Diagram: Servers A to L, each with its own IP address (IP A to IP L), attached through the TOR switch to a single virtual network, “Production Net” (VLAN ID = 300).]
– A single Virtual Network: a single IP subnet and VLAN ID.
– All servers can have a single IP interface, and all IP addresses are from the same IP subnet (e.g. 9.27.200.xxx).
– Multiple interfaces are created for redundancy!
Deploying Multiple Virtual Networks – Example 2 – Isolation

1. Define multiple Virtual Networks, each having unique VLAN IDs and IP subnets: “Production Network” (VLAN ID 300) and “Development Network” (VLAN ID 500), both on the same TOR switch.
2. Then add virtual servers to each virtual network as needed (Servers A to F with IP A to IP F on one, Servers G to L with IP G to IP L on the other) …
… which isolates “Production Servers” from “Development Servers”.
Deploying Multiple Virtual Networks – Isolation

1. Define multiple Virtual Networks, each having unique VLAN IDs and IP subnets: “Marketing Network” (VLAN ID 300, subnet “A”) and “Development Network” (VLAN ID 500, subnet “B”), both on the same TOR switch.
2. Then add virtual servers to each virtual network as needed: Servers A to F get IP@ A.1 to A.6 on the Marketing Network; Servers G to L get IP@ B.1 to B.6 on the Development Network.
… zManager isolates “Marketing Servers” from “Development Servers”.
zEnterprise Virtualization and Network Access Control

[Diagram: HMC and SE. On System z under PR/SM, z/VM hosts VS 1 to VS 8 behind VSwitch 1 and VSwitch 2, reaching the IEDN through the OSX. In the zBX, BLADE 1 (pHype) hosts VS 9 to VS 11 and BLADE 2 (xHype) hosts VS 12 to VS 14, reaching the IEDN through the ESM and the TOR. Three virtual networks, Net A, Net B and Net C, span both sides.]
zManager pushes virtual network access control information to the node, and the SE propagates it to the control points (OSX and hypervisors).
Putting It All Together … with Secure Access Control!

[Diagram: System z side: a z/OS image (Server A, G0), z/VM VSwitch B with Servers B (G1) and C (G2), VSwitch A, and an OSX OSA (OSA Port 0) forming the IEDN physical edge (System z side). IEDN core physical network: TOR A with external ports, internal ports, TOR (A) Port 0, and BPH ports to the SE/HMC. Blade side: ESM A (internal ports, management port) to Blade A (pHype VSwitch C with Servers D, E and F on ports 0, 1 and 2) and Blade B (Server G and Optimizer A, ISAOpt, Server ID Y, on port 2), forming the IEDN physical edge (blade side).]
– Network virtualization management (NVM) configures the specific VLANs that each virtual switch and OSX port may carry.
– The TOR is configured to allow all provisioned VLANs through the IEDN core.
– Note that all network components are duplicated to provide full redundancy; redundancy is not shown.
zEnterprise zManager controls network access at the physical and at the virtual switches (hypervisors)!
Connecting the Customer External Data Network to the intraensemble Data Network – Using Unique VLANs

[Diagram: two entry paths from the external customer data network into the IEDN.]
1. Enter through the zCPC via z/OS via an OSD: external router → OSD → TCPIP1 (z/OS1), which applies IP filtering and network access control through RACF® → OSX (VLAN enforcement) → IEDN on VLAN A → hypervisor (VLAN enforcement) → Linux virtual servers 51 and 55.
2. Enter through an external router to the zBX TOR: external router → top of rack (MAC filtering and VLAN enforcement) → IEDN on VLAN B → virtual server 72B in the zBX.
The two entry points use different VLANs (A and B). The TOR applies MAC filtering on the external port, every OSX and hypervisor applies VLAN enforcement, and z/OS adds IP filtering and RACF® network access control.
Exploiting External Firewalls within the Ensemble

[Diagram: an external firewall and IP router are used to cross zones (VLANs). External customer data network with router addresses 10.55.100.1, 10.67.124.1 and 192.12.144.1. System z side: OSD and OSX (10.67.124.100), TCPIP1 (z/OS1) with VIPA 10.67.124.120, IP filtering and VLAN enforcement, and Linux virtual servers 51 and 55 behind the hypervisor (VLAN enforcement). zBX side: top of rack (VLAN enforcement, MAC filtering), virtual server 22A (Eth1 10.24.104.104, Eth2 10.24.104.108) and virtual server 72B (Eth1 192.12.144.100). VLANs A, B and C are in use.]
Server 72B uses the external firewall and IP router to access server 22A: the two servers sit on different VLANs, so the only path between them is out through the TOR to the external router/firewall and back in on the other VLAN. External network access uses different VLANs.
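The rules stated on the virtual network and access control slides (a virtual network is a VLAN ID plus a list of authorized servers; OSX ports and hypervisor virtual switches admit only frames whose VLAN the sender is authorized for; the IEDN core carries every provisioned VLAN but never bridges between them; crossing zones goes out through the customer router/firewall and back in) can be written down as a small policy model. The following is an added example, not IBM code and not part of this presentation: it does not talk to an HMC, SE, OSX or hypervisor, and the server names, VLAN IDs and firewall policy are constructed to match the slide examples.

```python
"""Policy model of zManager virtual-network access control on the IEDN.

Added example, not IBM code.  It encodes only the rules the slides state; the
server names, VLAN IDs and firewall policy are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class VirtualNetwork:
    """The two properties the slides give a virtual network."""
    name: str
    vlan_id: int
    authorized: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Frame:
    src: str                # sending virtual server (or router)
    dst: str                # destination virtual server (or router)
    vlan_id: Optional[int]  # 802.1Q tag; None models an untagged frame


class Ensemble:
    """Access-control state zManager pushes to the SE and on to the control points."""

    def __init__(self) -> None:
        self.networks: Dict[int, VirtualNetwork] = {}

    def define_virtual_network(self, name: str, vlan_id: int) -> None:
        if vlan_id in self.networks:
            raise ValueError(f"VLAN {vlan_id} is already a virtual network")
        self.networks[vlan_id] = VirtualNetwork(name, vlan_id)

    def add_host(self, vlan_id: int, server: str) -> None:
        """HMC task 'Add Hosts to Virtual Network...'."""
        self.networks[vlan_id].authorized.add(server)

    def edge_check(self, frame: Frame) -> Tuple[bool, str]:
        """Decision an OSX port or hypervisor vswitch makes when a server sends a frame."""
        if frame.vlan_id is None:
            return False, "untagged frame: all IEDN traffic must carry an authorized VLAN ID"
        net = self.networks.get(frame.vlan_id)
        if net is None:
            return False, f"VLAN {frame.vlan_id} is not a provisioned virtual network"
        if frame.src not in net.authorized:
            return False, f"{frame.src} is not authorized for {net.name} (VLAN {net.vlan_id})"
        return True, f"admitted to {net.name}"

    def deliver(self, frame: Frame) -> Tuple[bool, str]:
        """Layer-2 delivery across the IEDN: the core carries every provisioned VLAN,
        the receiving edge hands the frame only to a server authorized on that VLAN."""
        ok, why = self.edge_check(frame)
        if not ok:
            return False, why
        net = self.networks[frame.vlan_id]
        if frame.dst not in net.authorized:
            return False, f"{frame.dst} is not on {net.name}: no IEDN path between virtual networks"
        return True, f"delivered on {net.name}"


class ExternalRouter:
    """Customer IP router/firewall that is an authorized member of several virtual
    networks and is therefore the only way to cross zones."""

    def __init__(self, name: str, ens: Ensemble, policy: Set[Tuple[int, int]]) -> None:
        self.name, self.ens = name, ens
        self.policy = policy  # (source VLAN, destination VLAN) pairs the firewall permits

    def forward(self, frame: Frame, dst_vlan: int) -> Tuple[bool, str]:
        ok, why = self.ens.deliver(Frame(frame.src, self.name, frame.vlan_id))  # leg 1: in
        if not ok:
            return False, "leg 1: " + why
        if (frame.vlan_id, dst_vlan) not in self.policy:
            return False, f"firewall denies VLAN {frame.vlan_id} -> VLAN {dst_vlan}"
        ok, why = self.ens.deliver(Frame(self.name, frame.dst, dst_vlan))       # leg 2: out
        return ok, "leg 2: " + why


def build_example() -> Tuple[Ensemble, ExternalRouter]:
    """Constructed to match the slides: production VLAN 300 (Servers A-F), development
    VLAN 500 (Servers G-L), and a router/firewall that only lets development reach production."""
    ens = Ensemble()
    ens.define_virtual_network("Production Net", 300)
    ens.define_virtual_network("Development Net", 500)
    for s in "ABCDEF":
        ens.add_host(300, f"Server {s}")
    for s in "GHIJKL":
        ens.add_host(500, f"Server {s}")
    fw = ExternalRouter("ext-fw", ens, policy={(500, 300)})
    ens.add_host(300, fw.name)   # the router is an authorized member of both networks
    ens.add_host(500, fw.name)
    return ens, fw


if __name__ == "__main__":
    ens, fw = build_example()
    print(ens.deliver(Frame("Server A", "Server B", 300)))   # same virtual network
    print(ens.deliver(Frame("Server A", "Server G", 300)))   # other virtual network: dropped
    print(ens.deliver(Frame("Server G", "Server H", 300)))   # sender not authorized for 300
    print(ens.deliver(Frame("Server A", "Server B", None)))  # untagged: dropped at the edge
    print(fw.forward(Frame("Server G", "Server A", 500), 300))  # allowed by firewall policy
    print(fw.forward(Frame("Server A", "Server G", 300), 500))  # denied by firewall policy
```

The point the model makes explicit is where each decision lives: the sender's tag and authorization are checked at the edge it attaches to, the destination's authorization at the edge it attaches to, and the only place a frame ever changes VLAN is the router, which in turn is just another authorized server on each network it joins. Removing the router from one network's authorized list closes that zone crossing without touching any virtual server.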
Configuring TOR – External Network Access

Two use cases:
1. z10™ access
2. External IP router
Summary – Exploiting the intraensemble Data Network

Once all hardware / physical installation and System z HCD configuration tasks are complete … then you are ready to exploit the IEDN.

Key concepts / reminders:
1. All network traffic on the IEDN must use an “authorized” VLAN ID!
2. The VLAN ID maps to a corresponding Virtual Network.
3. All host images (operating systems) on all platforms within the Ensemble are represented as a Virtual Server.

Key zManager network related configuration tasks:
1. Virtual Network configuration (at the HMC) consists of:
– defining a virtual network (VLAN ID)
2. Virtual Server configuration:
– Define each virtual server
– Associate each virtual server with the proper Virtual Network
3. Virtual Switch configuration (if applicable; N/A to native LPs)

Finally, operating system network configuration tasks (IP address, VLAN ID, etc.) remain within the OS: the OS VLAN ID must match the HMC VLAN ID configuration.
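The last reminder, that the VLAN ID configured inside each operating system must match the HMC virtual network definition, is the kind of mismatch that only shows up as silently dropped traffic at the OSX or hypervisor, so it is worth checking mechanically. The following is an added example, not IBM code and not part of this presentation: it compares a constructed copy of the HMC virtual-network table (the plain dict format is an assumption) against constructed z/OS TCP/IP profile INTERFACE statements (following the z/OS Communications Server form for OSX interfaces) and constructed Linux `ip -d link` output, and reports every VLAN an OS uses without authorization and every authorization an OS never uses.

```python
"""Check OS-side VLAN configuration against the HMC virtual-network definitions.

Added example, not IBM code.  HMC_VIRTUAL_NETWORKS is a constructed stand-in for
what the HMC Virtual Network task shows (name, VLAN ID, authorized servers); the
z/OS profile fragment and the Linux 'ip -d link' output are constructed too.
"""
import re
from typing import Dict, List, Set

# Constructed stand-in for the HMC definitions: VLAN ID plus list of authorized servers.
HMC_VIRTUAL_NETWORKS = {
    "Production Net": {"vlan_id": 300, "authorized": {"z/OS1", "linux51", "linux55"}},
    "Development Net": {"vlan_id": 500, "authorized": {"linux55", "server72B"}},
}

# Constructed z/OS TCP/IP profile fragment for z/OS1 (OSX interfaces carry a VLANID;
# the OSD interface to the customer external network is not on the IEDN and is ignored).
ZOS_PROFILE_Z_OS1 = """
INTERFACE OSXPROD DEFINE IPAQENET CHPIDTYPE OSX CHPID F1
   IPADDR 10.67.124.100/24 VLANID 300
INTERFACE OSXDEV  DEFINE IPAQENET CHPIDTYPE OSX CHPID F1
   IPADDR 10.24.104.100/24 VLANID 500
INTERFACE OSDEXT  DEFINE IPAQENET CHPIDTYPE OSD CHPID E0
   IPADDR 192.12.144.50/24
"""

# Constructed 'ip -d link show' output from two Linux virtual servers.
LINUX_IP_LINK = {
    "linux51": """2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1.300@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    vlan protocol 802.1Q id 300 <REORDER_HDR>
""",
    "linux55": """2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1.300@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    vlan protocol 802.1Q id 300 <REORDER_HDR>
4: eth1.501@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    vlan protocol 802.1Q id 501 <REORDER_HDR>
""",
}

ZOS_VLAN_RE = re.compile(r"VLANID\s+(\d+)", re.I)
LINUX_VLAN_RE = re.compile(r"vlan protocol 802\.1Q id (\d+)")


def zos_osx_vlans(profile: str) -> Dict[str, Set[int]]:
    """Map each OSX INTERFACE name to the VLANID(s) in its statement.  An OSX
    interface with no VLANID comes back with an empty set so it can be flagged."""
    out: Dict[str, Set[int]] = {}
    # Each statement begins with the INTERFACE keyword; indented lines continue it.
    for stmt in re.split(r"(?im)^\s*(?=INTERFACE\b)", profile):
        m = re.match(r"INTERFACE\s+(\w+)", stmt, re.I)
        if not m or not re.search(r"CHPIDTYPE\s+OSX\b", stmt, re.I):
            continue
        out[m.group(1)] = {int(v) for v in ZOS_VLAN_RE.findall(stmt)}
    return out


def linux_vlans(ip_link_output: str) -> Set[int]:
    """VLAN IDs of the 802.1Q sub-interfaces reported by 'ip -d link'."""
    return {int(v) for v in LINUX_VLAN_RE.findall(ip_link_output)}


def authorized_vlans(server: str, hmc=HMC_VIRTUAL_NETWORKS) -> Set[int]:
    return {n["vlan_id"] for n in hmc.values() if server in n["authorized"]}


def check_server(server: str, os_vlans: Set[int], hmc=HMC_VIRTUAL_NETWORKS) -> List[str]:
    """Findings for one virtual server: VLANs the OS uses without HMC authorization
    (that traffic is dropped at the OSX/hypervisor) and authorizations never used."""
    allowed = authorized_vlans(server, hmc)
    findings = []
    for v in sorted(os_vlans - allowed):
        findings.append(f"{server}: OS configures VLAN {v} but HMC does not authorize it")
    for v in sorted(allowed - os_vlans):
        findings.append(f"{server}: HMC authorizes VLAN {v} but OS has no interface on it")
    return findings


def run_checks() -> List[str]:
    findings: List[str] = []
    zos = zos_osx_vlans(ZOS_PROFILE_Z_OS1)
    for name, vlans in zos.items():
        if not vlans:
            findings.append(f"z/OS1: OSX interface {name} has no VLANID")
    findings += check_server("z/OS1", set().union(*zos.values()) if zos else set())
    for server, output in LINUX_IP_LINK.items():
        findings += check_server(server, linux_vlans(output))
    return findings


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

On the constructed input the check reports three things: z/OS1 has an OSX interface on VLAN 500 that the HMC never authorized, linux55 configured VLAN 501 (a typo for 500) that no virtual network uses, and linux55 is authorized on VLAN 500 but has no interface there. The first two are the "OS VLAN ID must match the HMC VLAN ID" failure; the third is harmless but worth cleaning up, since an unused authorization widens what that server could reach if its configuration changes later.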
References

References (White Papers, FAQs, Presentations)
– zEnterprise System Frequently Asked Questions (FAQs): www.ibm.com/systems/z/faq
– zEnterprise Network Security White Paper (ZSW03167-USEN-00) and other resources: www.ibm.com/systems/z/resources (select “Literature” entries); http://www.ibm.com/common/ssi/cgibin/ssialias?infotype=SA&subtype=WH&appname=STGE_ZS_ZS_USEN&htmlfid=ZSW03167USEN&attachment=ZSW03167USEN.PDF
– IBM zEnterprise System Network Virtualization, Management, and Security (Parts 1 and 2: Overview and Detail): w3.ibm.com/support/techdocs
– IBM System z Hardware Management Console Security White Paper, Kurt Schroeder ([email protected]), Sept. 2008: http://nascpok.pok.ibm.com/rsf/zHMCSecurityWhitepaper.pdf

References (Hardware)
zBX Publications
– zBX Service Guide GC28-6884-01
– zBX Installation Manual (2458-002) GC27-2610-00
– zBX IMPP (2458-002) GC27-2611-00
– zBX Service Education SE245800
– zBX Safety Inspection (for mod 1 and 2) GC28-6889-00
– IBM License Agreement for Machine Code SC28-6872-00
– Systems Environmental Notices and User Guide Z125-5823-02
– Systems Safety Notices G229-9054-02
Redbooks (www.redbooks.ibm.com)
– IBM zEnterprise Technical Introduction, SG24-7832
– IBM zEnterprise Technical Guide, SG24-7833
– IBM zEnterprise Configuration Setup, SG24-7834
– IBM zEnterprise Platform Management, SG24-7835
– IBM System p® Advanced POWER Virtualization Best Practices, REDP-4194
– IBM BladeCenter JS12 and JS22 Implementation Guide, SG24-7655
zBX 2458-002 SAPR Guide
– SA10-006
– 2458 TDA Confirmation Form
System z and zEnterprise
– Input/Output Configuration Program User's Guide for ICP IOCP, SB10-7037-08

References (Software and Security)
z/OS Ensemble Implementation
– z/OS Communications Server V1R12 SNA Network Implementation Guide (SC31-8777)
– z/OS Communications Server V1R12 SNA Network Definition Reference (SC31-8778)
– z/OS Communications Server V1R12 IP Configuration Guide (SC31-8775)
– z/OS Communications Server V1R12 IP Configuration Reference (SC31-8776)
IPv6 Information
– z/OS Communications Server V1R12 IPv6 Network and Application Design Guide (SC31-8885)
z/VM Ensemble Implementation
– z/VM 6.1 with Small Programming Enhancement (SPE): CP Planning and Configuration (SC24-6083)
Security
– Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security; IBM RedGuide REDP-4528-00, July 2009 (www.redbooks.ibm.com)
– Security on the IBM Mainframe, SG24-7803-00, Redbooks®, published 30 April 2010 (www.redbooks.ibm.com)
– Introduction to the New Mainframe: Security, SG24-6776-00, Redbooks, published 3 April 2007, last updated 26 April 2007 (www.redbooks.ibm.com)
Questions? Thank You! [email protected]
ZSP03433-USEN-01 / ZSP03439-USEN-00